TLSA records on OVH

Posted on 10 Sep 2014
2 mins read

DANE is a great way of improving security on the web by replacing SSL certificate authorities with DNS records
signed by DNSSEC. Basically, the certificate (or its fingerprint) is contained in a TLSA record, with some parameters
that specify how clients should validate it.

However, if you’re hosting your DNS zone on OVH (or any other provider with a version of BIND that does not
support the TLSA RRtype), it gets a little bit more complicated: adding a TLSA record to your zone will make the web
interface complain that this RRtype is unknown.

EDIT: OVH now supports TLSA! See the update below.

It is still possible to add TLSA records to OVH by using a “generic”, numeric RRtype. The format is quite different
from the usual TLSA presentation, but it can easily be created using the tlsa tool included in hash-slinger:
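To make the two formats concrete, here is an added example (not code from the post and not hash-slinger's own code) that builds the TLSA RDATA from the three parameters plus the certificate association data, and renders it both as a normal TLSA record and as the RFC 3597 generic form `TYPE52 \# <length> <hex>` that a BIND without TLSA support will accept. The certificate bytes are a constructed placeholder standing in for a real DER blob; with selector 1 the caller is expected to pass the DER-encoded SubjectPublicKeyInfo instead of the whole certificate. The `verify_against_tlsa` helper shows the check a validating client performs.

```python
import hashlib

TLSA_TYPE = 52  # TLSA RRtype number assigned by RFC 6698


def tlsa_rdata(assoc_input: bytes, usage: int, selector: int, matching: int) -> bytes:
    """Build the wire-format TLSA RDATA.

    assoc_input is the DER object chosen by `selector`: the full certificate
    (selector 0) or its SubjectPublicKeyInfo (selector 1). `matching` decides
    whether that object is stored verbatim (0), as SHA-256 (1) or SHA-512 (2).
    """
    for name, value in (("usage", usage), ("selector", selector), ("matching", matching)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} must fit in one byte")
    if matching == 0:
        assoc = assoc_input
    elif matching == 1:
        assoc = hashlib.sha256(assoc_input).digest()
    elif matching == 2:
        assoc = hashlib.sha512(assoc_input).digest()
    else:
        raise ValueError("unknown matching type")
    # RDATA layout: usage(1) | selector(1) | matching type(1) | association data
    return bytes([usage, selector, matching]) + assoc


def tlsa_presentation(rdata: bytes) -> str:
    """Normal zone-file form: 'TLSA <usage> <selector> <matching> <hex data>'."""
    return f"TLSA {rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"


def tlsa_generic(rdata: bytes) -> str:
    """RFC 3597 generic form understood by name servers that lack the TLSA type."""
    return f"TYPE{TLSA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def parse_generic(text: str) -> bytes:
    """Parse 'TYPE52 \\# <len> <hex...>' back into RDATA, checking the length."""
    parts = text.split()
    if len(parts) < 3 or parts[0].upper() != f"TYPE{TLSA_TYPE}" or parts[1] != "\\#":
        raise ValueError("not a generic TLSA record")
    length = int(parts[2])
    rdata = bytes.fromhex("".join(parts[3:]))  # hex may be split by whitespace
    if len(rdata) != length:
        raise ValueError(f"declared length {length} but got {len(rdata)} bytes")
    return rdata


def verify_against_tlsa(assoc_input: bytes, rdata: bytes) -> bool:
    """What a DANE client does: recompute the association data and compare."""
    usage, selector, matching = rdata[0], rdata[1], rdata[2]
    try:
        expected = tlsa_rdata(assoc_input, usage, selector, matching)
    except ValueError:
        return False
    return expected == rdata


if __name__ == "__main__":
    # Constructed placeholder; a real deployment feeds the DER-encoded SPKI here.
    fake_spki_der = b"constructed placeholder for a DER-encoded SubjectPublicKeyInfo"
    rdata = tlsa_rdata(fake_spki_der, usage=3, selector=1, matching=1)
    print("_443._tcp.example.com. IN", tlsa_presentation(rdata))
    print("_443._tcp.example.com. IN", tlsa_generic(rdata))
    print("matches:", verify_against_tlsa(fake_spki_der, rdata))
```

Usage 3 with selector 1 and matching type 1 (a SHA-256 of the public key, valid regardless of any CA) is the combination most operators publish; the generic line is what goes into the OVH zone, and the parser shows that the length field must agree with the hex payload or the record is rejected.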